UDP Syslog Traffic versus Raw Network Capture

I have a diagram where there is a line of UDP syslog traffic flowing from a switch to a web security device and another line extending from the switch to a live-human monitoring station.
What is the difference between UDP syslog traffic and raw network traffic?
brothertruffle880 asked:
eeRoot commented:
Depends on how the capture tools have been configured. But generally speaking, syslog servers will show a log of events (alerts, informational, debugging, etc.) while monitoring network traffic shows every packet that goes across your network. Network monitors (such as spanned/mirrored ports or hardware taps) show much more info, but it can be too much info sometimes.
0
 
btanConnect With a Mentor Exec ConsultantCommented:
Log vs. packets. The traffic payload details are mostly found in packet or raw traffic, while the syslog would have normalised and surfaced the events depending on how the device source is configured. Syslog is at max based on RFC 5424 (http://tools.ietf.org/html/rfc5424) at 2048 bytes. Packet capture needs much larger storage, e.g. it can be an estimated 32 MB file saved every 15 minutes.

Specifically, the raw syslog data can be substantial depending on the typical severity level that is set, e.g. level (0 to 7): emergencies (0), alerts (1), critical (2), errors (3), warnings (4), notifications (5), informational (6), or debugging (7). The higher the level, the more messages (and types of messages) that are generated.

You tend to pipe the SPAN port of the switch, which carries the same raw traffic, to further analysis such as an AV scan, a content filter, or a breach detection system (deployed passively or inline). In other words, with raw packet traffic you can do more, but with logs you only get what the source wanted you to see. SIEMs are mostly the reason for having centralised logging of all syslog piped to them.

While there are no strict guidelines pertaining to the log format, most syslog messages are generated in human-readable form with the assumption that capable administrators should be able to read them and understand their meaning.  Note that standard syslog protocol does not have mechanisms to provide confidentiality for the messages in transit. In most cases, passing clear-text messages is a benefit to the operations staff as compared to the raw packets from the wire.  The operations staff may be able to read the messages and associate them with other events seen from other packets crossing the wire to track down and correct problems.
0
 
giltjrConnect With a Mentor Commented:
One way to think of the difference between syslog data and raw network traffic is the difference between an MS Word document and a file.

While an MS Word document and an MS Excel spreadsheet are both files, what makes them different/unique is the content within the file. So an MS Word document is a subset of "files."

Syslog data is really a subset of "raw network data."

As the others have posted, my guess is that in your case the "raw network data" is the result of port mirroring (using SPAN, RSPAN, or something like that) vs. a connection that is set up to send traffic to a syslog server.
0
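The following is an added example, not code from the thread or from any of the participants. It makes btan's and giltjr's points concrete: it builds a few Ethernet/IPv4/UDP frames of the kind a SPAN port or tap would deliver, dissects them the way a packet capture tool would (every frame, headers included), and then extracts only the RFC 5424 syslog datagrams and filters them by the PRI severity field (0 to 7, lower number = more severe) the way a collector would. The hostnames, IP addresses, MAC addresses and log messages are constructed for illustration, the DNS datagram stands in for "everything else on the wire", and the structured-data parser is simplified (it handles `-` and bracketed elements with `\]` escapes, nothing more).

```python
"""Added example: syslog events are a subset of what a raw capture holds."""
import socket
import struct

# RFC 5424 section 6.2.1: severity 0..7 (lower = more severe) and facility 0..23
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]


def parse_syslog(payload: bytes) -> dict:
    """Parse <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID STRUCTURED-DATA [MSG]."""
    text = payload.decode("utf-8", errors="replace")
    if not text.startswith("<") or ">" not in text:
        raise ValueError("missing PRI")
    close = text.index(">")
    pri = int(text[1:close])
    if not 0 <= pri <= 191:
        raise ValueError(f"PRI out of range: {pri}")
    facility, severity = divmod(pri, 8)          # PRI = facility * 8 + severity
    fields = text[close + 1:].split(" ", 6)
    if len(fields) < 7 or fields[0] != "1":
        raise ValueError("not a version-1 syslog header")
    _version, timestamp, hostname, app, procid, msgid, rest = fields
    if rest.startswith("-"):                     # no structured data
        sd, msg = "-", rest[2:]
    else:                                        # one or more [id k="v" ...] elements
        i = 0
        while i < len(rest) and rest[i] == "[":
            j = i + 1
            while j < len(rest) and not (rest[j] == "]" and rest[j - 1] != "\\"):
                j += 1                           # skip escaped \] inside a param value
            i = j + 1
        sd, msg = rest[:i], rest[i + 1:]
    return {"facility": FACILITIES[facility], "severity": severity,
            "severity_name": SEVERITIES[severity], "timestamp": timestamp,
            "hostname": hostname, "app": app, "procid": procid, "msgid": msgid,
            "sd": sd, "msg": msg}


def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (used for the IPv4 header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet II + IPv4 + UDP frame, as a mirrored port or tap would hand it to a capture."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload  # UDP checksum optional on IPv4
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0x4000, 64, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:]          # fill in header checksum
    eth = bytes.fromhex("0011223344550066778899aa") + struct.pack("!H", 0x0800)  # constructed MACs
    return eth + ip + udp


def dissect_frame(frame: bytes) -> dict:
    """What a packet tool sees: walk Ethernet/IPv4/UDP headers and return addressing plus payload."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    if _checksum(ip_hdr) != 0:                   # a correct header sums to zero
        raise ValueError("bad IPv4 header checksum")
    if ip_hdr[9] != 17:
        raise ValueError(f"not UDP (protocol {ip_hdr[9]})")
    src_ip, dst_ip = socket.inet_ntoa(ip_hdr[12:16]), socket.inet_ntoa(ip_hdr[16:20])
    off = 14 + ihl
    sport, dport, udp_len, _ = struct.unpack("!HHHH", frame[off:off + 8])
    if udp_len < 8 or off + udp_len > len(frame):
        raise ValueError("truncated UDP datagram")
    return {"src": (src_ip, sport), "dst": (dst_ip, dport), "payload": frame[off + 8:off + udp_len]}


def syslog_events_from_capture(frames: list, max_severity: int) -> list:
    """What a collector keeps: syslog datagrams whose severity is numerically <= max_severity."""
    kept = []
    for frame in frames:
        pkt = dissect_frame(frame)
        if pkt["dst"][1] != 514:                 # in the raw capture, invisible to the syslog server
            continue
        event = parse_syslog(pkt["payload"])
        if event["severity"] <= max_severity:
            kept.append(event)
    return kept


def build_sample_capture() -> list:
    """Constructed traffic: five syslog datagrams (collector 10.0.0.2:514) plus one DNS query."""
    messages = [  # constructed RFC 5424 messages; PRI 2=kern.crit 35=auth.err 38=auth.info 165=local4.notice 191=local7.debug
        b"<2>1 2024-05-01T10:00:00Z fw01 kernel - - - Interface eth1 link down",
        b'<35>1 2024-05-01T10:00:02Z fw01 sshd 1234 - [origin ip="10.0.0.9"] Failed password for root',
        b"<38>1 2024-05-01T10:00:05Z fw01 sshd 1234 - - Accepted publickey for admin from 10.0.0.5",
        b"<165>1 2024-05-01T10:00:07Z web01 app 77 EV1 - Cache warmed",
        b"<191>1 2024-05-01T10:00:09Z web01 app 77 - - debug: request id 42 served in 3 ms",
    ]
    frames = [build_frame("10.0.0.1", "10.0.0.2", 40000 + n, 514, m) for n, m in enumerate(messages)]
    frames.append(build_frame("10.0.0.5", "10.0.0.53", 53001, 53, bytes.fromhex("beef01000001000000000000")))
    return frames


if __name__ == "__main__":
    frames = build_sample_capture()
    print(f"raw capture: {len(frames)} frames, {sum(map(len, frames))} bytes")
    for level in (3, 7):
        events = syslog_events_from_capture(frames, level)
        print(f"collector at severity <= {level} ({SEVERITIES[level]}): {len(events)} events")
        for e in events:
            print(f"  {e['facility']}.{e['severity_name']} {e['hostname']} {e['app']}: {e['msg']}")
```

With the collector set to errors (3) only two of the six frames survive as events; at debugging (7) all five syslog datagrams do, which is btan's "the higher the level, the more messages" point; the DNS frame is present in the capture under either setting and never reaches the log, which is giltjr's "syslog data is a subset of raw network data".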